title: New Application in AppCompat
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
description: A General detection for a new application in AppCompat. This indicates
    an application executing for the first time on an endpoint.
detection:
    SELECTION_1:
        EventID: 12
    SELECTION_2:
        EventID: 13
    SELECTION_3:
        EventID: 14
    SELECTION_4:
        TargetObject: '*\AppCompatFlags\Compatibility Assistant\Store\\*'
    condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and SELECTION_4)
falsepositives:
- This rule is to explore new applications on an endpoint. False positives depends
    on the organization.
- Newly setup system.
- Legitimate installation of new application.
id: 60936b49-fca0-4f32-993d-7415edcf9a5d
level: informational
logsource:
    category: registry_event
    product: windows
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/1
- https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html
status: experimental
tags:
- attack.execution
- attack.t1204.002
yml_filename: sysmon_new_application_appcompat.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event